AWS Marketplace introduction


In this whitepaper, SANS analyst and instructor Matt Bromiley shows how to apply the same EDR/NDR
concepts to your cloud asset protection strategy. He compares on-premises versus cloud security options and
identifies what to maintain or change after migrating your workloads. Also included are customer stories of
using EDR/NDR as a one-two punch against cyberattacks.


The featured solutions for this use case can be accessed in AWS Marketplace: 


CrowdStrike, ExtraHop Networks, Trend Micro

Introduction


For many years, security postures have been based on implementing various types of defenses 
at both the endpoint and network levels. What started out as simple antivirus and firewalls has 
morphed into a complex combination of advanced detection and response technologies that 
work together to mitigate security events. However, just as security controls have grown, so has 
the composition of the average enterprise. 


Once a hub-and-spoke collection of physical assets and satellite locations, enterprises are 
now multinational behemoths with a combination of on-premises and Amazon Web Services 
(AWS) assets, with many organizations trending more and more toward the latter. Enterprises 
change, and security postures need to do the same. While aware of their AWS footprints, 
security teams have often claimed that they need the same level of visibility in AWS to offer 
the same types of protection. 


Do endpoint and network detection and response (EDR/NDR) capabilities cease once an
organization moves to AWS? Do they become the provider's responsibility, rather than the
organization's security team's responsibility? Of course not! In this whitepaper, we examine the
challenges associated with this change. We believe that an endpoint is still an endpoint, whether
it's a physical laptop or an Amazon Elastic Compute Cloud (Amazon EC2) instance. And the network
is still the network. Packets traverse the client-server model just like they do with serverless
functions. Security programs should keep up with new technology, not shy away from it.


Incorporating cloud-based detection and response technologies in your AWS stack is a must for
security teams going forward. We see little reason for business models to move away from cloud
adoption. Future growth is measured in the tens or hundreds of billions.² Therefore, security
teams should get ahead of the curve now.


Some key takeaways we examine in this whitepaper include: 


• Cloud spending, specifically with AWS, shows no sign of slowing down—thus, your
organization should be investing in tools, people, and processes to secure these assets.

• AWS assets change the concept of an "endpoint," but it's still important for you to secure that
endpoint against bad actors.

• As you grow your footprint in AWS, consider the security options you can wrap around
your endpoints and network. Solutions can be efficiently procured and deployed from AWS
Marketplace, allowing for same-day or quick-turnaround security implementations.

• Managed options, such as managed detection and response (MDR), allow for rapid
implementation with the expertise of a knowledgeable third party to help defend against
bad actors.


Regardless of your role, as you work your way through this whitepaper, you should be cognizant 
of your own environment. Consider how much of your enterprise is in AWS and how your security 
approach differs between on-prem and AWS assets. Do you have equally robust and capable 
detection and response processes for each? If not, it might be time to consider changes to 
equalize them. 


¹ This paper mentions solution names to provide real-life examples of how security tools can be used. The use of these examples is not an endorsement
of any solution.


² "Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 23% in 2021," Gartner, April 21, 2021,
www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021


SANS Analyst Program | Securing Your Cloud Environment with Endpoint and Network Detection and Response (EDR/NDR) Technologies


A Look at EDR/NDR: Then vs. Now 


Before examining detection and response technologies to enrich and enhance your AWS
stack, it is important to understand why a special touch is required. As mentioned earlier,
many security postures are rooted in legacy approaches and technology. These policies
and processes were built around the physicality of on-prem assets. Employees have
laptops and desktops. Servers are physical boxes housed somewhere in a data center.
There is a standard set of hardware- and software-based options to protect physical
environments. It has been this way for years.


Granted, the past few years have seen rapid adoption of remote work capabilities and of
assets and services in the cloud. The past 24 months, with the global COVID-19 pandemic,
contributed to much of this acceleration, with some organizations going from 0% cloud
usage to more than 50% in less than 12 months. Time and time again, the pandemic
accelerated many organizations' cloud adoption plans.


The key consideration is that the security component of any organization must be able
to adapt to business operations and process changes. This is straightforward to do when
a business simply opens or closes more offices or deploys more physical assets. The
security approach is simple: Follow the processes and do "what we did before." Limit
firewall ports—open only what is necessary. Buy physical security devices, and tag and
deploy gold images. The rest is business as usual.

Deployments in AWS flip these models on their head. Assets are not physically located
in managed areas; rather, they are simply software and API keys, deployed around the
globe. Developers can spin up internet-facing services in milliseconds, faster than a
security team can make a firewall change request. These changes are great for allowing
the business to move at customer speeds, but they do little for archaic approaches to
security.

If your organization is already using AWS, perhaps you've already thought about how to
branch your security posture to your AWS assets. If so, great! You're one step ahead of
many. Nevertheless, we recommend assessing your security controls regularly to help
ensure that they are providing the coverage expected.


The differences between on-prem and AWS do not remove the need for security, nor 
do they require a complete overhaul of existing security practices. In this paper, we're 
suggesting that technologies such as EDR/NDR are great for both on-prem and AWS 
deployments. An endpoint in AWS is still an endpoint. Network packets traverse the 
internet and providers like they do internal networks. 


The biggest change needed may be a redefinition of assets by security teams. AWS often
separates various components into well-known services such as compute (a virtual
machine), Amazon S3 buckets (storage), or containers. Rather than think about a file
server, think about files and a server as two separate services. From an AWS resource and
billing perspective, this might also be data versus compute. While the need to protect
both remains the same, the approach differs. Security teams already have ways to defend
these types of assets on-prem. All that's needed is to branch the idea of protecting an
endpoint or the network on-prem to one in AWS.

EDR/NDR in AWS


Security teams changing their perspective on AWS assets is much easier said than done.
AWS Marketplace, the one-stop shop for effortlessly integrated solutions and third-party
services, offers numerous choices for detection and response technologies. While we do
not cover them at length in this paper, it's worth noting that organizations can effortlessly
integrate multiple SaaS security solutions, including SOAR and threat intelligence
capabilities, as simply as the ones we explore next.


EDR in AWS 


One of the benefits of AWS Marketplace is the ease with which you can purchase and
implement solutions. EDR capabilities in AWS can be accessed via a quick search, as
shown in Figure 1.


[Figure 1. Sample of EDR Offerings in AWS Marketplace. The search results shown are: Accenture MDR: Advanced Endpoint Response (AER), by Accenture; Endpoint Detection and Response as a Service, by AHEAD; CrowdStrike Falcon Cloud Security, by CrowdStrike; Sophos Central Cybersecurity - Secure Workloads, Data, Apps, and Access, by Sophos.]
Many offerings begin with visibility into Amazon EC2 instances, relying on traditional
agent-based approaches to provide insight and detection and response capabilities. The
beauty of traditional agent-based approaches is that organizations can combine visibility
from their on-prem and AWS-based assets into a central location. See Figure 2 for a
sample depiction of this strategy with the Falcon Platform from CrowdStrike.

[Figure 2. Sample EDR Strategy in the CrowdStrike Falcon Platform]

Another benefit to an AWS-aware EDR solution is the capability to quickly spin up an
instance and employ detection and response capabilities almost immediately. Every
service offered in AWS is a SaaS solution, meaning integration with current or
establishment of new security controls is quick and effortless.


Managed Detection and Response 


Viewed as a step up from self-managed EDR technologies, there is also the option of
managed detection and response (MDR) capabilities in AWS Marketplace. The benefit of
an MDR solution is the ability to outsource part or all of needed security operations
(SecOps) capabilities to a trusted third party that may be able to offer additional insight
and experience in detecting and handling potential security events.

It is worth noting that an MDR service often utilizes the same technologies as a self-
directed or managed security team. In fact, an MDR service will likely incorporate as many
evidence sources as possible so it can offer the most service. It also may look at bringing
EDR and NDR telemetry together in one place. But the true value is bringing third-party
expertise to the table, often offering additional services such as threat intelligence, alert
triage, and incident response and containment.

When exploring various detection and response options in AWS, you may gravitate toward
incorporating multiple sources into a single platform and wrapping as much automation
around your detection and response capabilities as possible. This quickly approaches the
concept of extended detection and response (XDR), which is a combination of all things.
(We highly recommend checking out our AWS paper on XDR.³)

³ "(Re)Defining XDR: How to improve threat detection and response in AWS,"
https://pages.awscloud.com/AWSMP-Whitepaper-SEC-XDR-en.html [Registration required.]
Other Endpoints

It is highly likely that among your AWS deployment, your organization utilizes AWS
products that go beyond the EDR offerings in AWS Marketplace. In this case, the type of
visibility and/or control over the endpoint may differ from traditional EDR technologies
(think serverless functions, API gateways, etc.). However, the only difference is that you
cannot put a traditional agent on the endpoint. Believe it or not, security teams have
faced this challenge for several years.


Outside of EDR offerings on compute instances, AWS Marketplace offers robust logging
and other integrated security offerings to help ingest, parse, normalize, and analyze those
logs. See Figure 3 for a sample dashboard from Sonrai Security, which taps into multiple
AWS resources, including Amazon S3 buckets, Amazon Relational Database Service
(Amazon RDS), Amazon Aurora, and Amazon DynamoDB. The platform monitors these
asset types, and more, while providing real-time insight.

[Figure 3. Sample EDR Dashboard from Sonrai Security]

Security teams need not throw up their hands and say, "If there's no agent, we can't
monitor it." Rather, log forwarding policies can be implemented at the global level and
provide security teams lightweight insight into their assets. This can be a plus to a
traditional EDR dashboard because teams will have multiple vantage points into some
assets.


Combining On-Prem with AWS 


While we have seen aggressive cloud adoption by many organizations, some are still 
protecting a multi-environment and this may not change. We would expect that some 
organizations will be unable to move entirely to AWS, especially if their business 
operations require physical assets or “people in places.” In such cases, security teams 
should look for solutions and/or controls that enable them to approach their multi- 
environment as one, rather than two separate environments. 


While exploring the idea of EDR and NDR solutions in AWS, we found ourselves looking
for how effortlessly security approaches can be combined. Can we look for—or should
we expect—integration among tools? Should platforms be able to work together?
Should SIEMs be able to combine data? We think so. As you look for solutions for your
environment, be sure that you are considering your entire footprint—AWS and more. Your
team should look for ways to combine solutions so that they can see the entire footprint
in one go. After all, bad actors have no problem discerning between the tech, and neither
should your security team.

NDR in AWS


While some organizations may find a limit with EDR solutions (e.g., products not covered
or varying levels of coverage), NDR technologies are plentiful. Given the requirement of
the network between all services and products, it is trivial to tap into data such as network
packets, Amazon VPC Flow Logs (NetFlow, in other contexts), or protocol-specific offerings
(such as DNS) to gain insight and detect and respond to security events.


NDR offerings and implementation are like EDR in that SaaS-based solutions can be
effortlessly spun up to accommodate new installations, or data can be integrated into
a current platform. Organizations with existing on-prem platforms can also utilize SaaS
capabilities to integrate with security events across multiple environments. As we've said
time and time again, where the endpoint fails, the network will often succeed. Bad actors
look at systems as pivot points, finding ways to move across services from one to the
other, finding data of interest. This creates an opportunity for detection that seasoned
NDR offerings should be able to seize.

[Figure 4. Security events in a SaaS-based NDR platform (dashboard panels shown include Top Protocols Out and Known Aliases)]


Additional NDR Features 


Beyond what we'll call basic NDR functionality (detecting and responding to security 
events), we recommend looking for NDR offerings that can help security teams achieve 
their job faster. Additional NDR features may include various levels of automated 
response, such as blocking of traffic, closing of ports, or shutting down access to 
applications at certain thresholds. 


Anytime security teams can automate and integrate their playbooks and response actions,
the tool can help them move faster. Wrapping an NDR solution around an AWS stack is
a powerful way to limit the success rates of bad actors' campaigns. We expect that any
reduction in success rates of bad actors is an increase in SOC team productivity—an equal
trade-off that we will take any day.

Case Study 1: Web Application Breach


Our first case study looks at a common use of AWS technologies: hosting internet-facing 
assets, such as a web application, in AWS as a way to help ensure resiliency, global 
availability, and other benefits achieved via AWS. For all intents and purposes, the web 
application itself can be thought of as an endpoint. As we examined earlier in this paper, 
we want to expand our thinking of endpoints, regardless of how the web application is 
served up. Thus, we want to wrap security around it, just like we would a physical system. 


Consider a bad actor who is looking for access to a web application. The common
approach is to test the web application for various vulnerabilities in the hopes of
discovering an entry vector the bad actor can use to access unauthorized account
credentials, execute remote code, access an internal system, and/or any combination
thereof. While these may seem like simple or low-level security events, they have
resulted in significant incidents in recent years.


These types of events are what AWS WAF was designed for. As shown in Figure 5, native
AWS solutions can be deployed in front of various AWS assets to help protect them from
web exploits.

[Figure 5. Snippet of AWS WAF Architecture. The diagram shows AWS Firewall Manager (manage multiple AWS WAF deployments) and AWS WAF (protect your web applications from common web exploits) in front of Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync, with three stages: Create a policy (build your own rules using the visual rule builder, code in JSON, or deploy managed rules maintained by AWS and/or sellers from AWS Marketplace); Block & Filter (protect against exploits and vulnerabilities such as SQLi/XSS attacks; filter out unwanted traffic by defining specific patterns or by IP address); Monitor (use Amazon CloudWatch for incoming traffic metrics and Amazon Kinesis Firehose for request details, then tune rules based on metrics and log data).]

Web applications, regardless of where hosted, need protections against the types of
security events that bad actors are willing to automate, script, and take advantage of. A
web application firewall does exactly that. It looks for patterns of bad actor testing and
works to prevent the traffic from reaching the web application. Advanced web application
firewalls may even examine traffic, looking for lesser-known patterns or techniques, and
help prevent them from reaching the web application.


Note that security teams can also push their tools with custom policies and blocking and
filtering options (see Figure 5). These capabilities are not new, by any means. We have
used firewalls for these security needs for decades. Remembering that we want to bridge
the gap between on-prem and AWS assets, web application firewalls are a great way to
begin implementing an effective security posture.
Case Study 2: Bad Actors in a Multi-Environment

Our second case study looks at a multi-environment, involving Amazon EC2 instances, or
cloud-based virtual machines. Organizations across the globe use Amazon EC2 instances
to set up and use computing resources without having to invest in necessary hardware
expenses upfront. Because Amazon EC2 instances are virtual machines, they provide an
interface (such as a terminal or desktop) with which many administrators are familiar,
but they also have robust API capabilities for automated scripting and other actions.
However, because they are virtual machines, when … of a multi-environment, from a
high level.

[Figure 6. Sample Security Event in a Multi-Environment (diagram labels: On-Prem Cluster; C2 Communications)]

As shown in Figure 6, organizations may deploy clusters within Amazon EC2 and link them
back to on-prem clusters of systems. This may be a business need, an ongoing project, or
even representative of a migration. Regardless, it creates an expanded footprint. Bad
actors are eager to exploit these opportunities. However, exploitation may not be
required if bad actors can get access to unauthorized credentials and masquerade as …
Securing a multi-environment should begin with visibility and insight, which a cloud security
platform should provide. From there, security teams should look to expand into detection,
response, and remediation capabilities. Valid questions may include:

• How does our visibility bring the multi-environment together, allowing security teams
to view the environment as one?

• What are our options for detecting unauthorized activity between on-prem and AWS?

• Can we scale our automated actions and playbooks across multi-environment assets?

• Once we detect and contain a potential security event, how can we make changes to
help ensure our multi-environment is protected from the same type of security event?

These questions and more are good starting points for teams looking to secure their multi-
environment. The technologies exist and are readily available to quickly deploy and gain
insight into your AWS environment and more.
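The NDR section names Amazon VPC Flow Logs as a network data source, and this case study describes bad actors pivoting between an EC2 cluster and an on-prem cluster while talking to C2. The following is an added example, not code from the whitepaper or from any vendor it names, showing how a defender can parse the default VPC Flow Log version 2 format and flag three of those patterns: admin-port access across the on-prem/EC2 boundary, rejected port sweeps, and periodic outbound flows from an EC2 host to one external address. The CIDR ranges, account and interface ids, and log lines are all constructed.

```python
"""Detector over Amazon VPC Flow Log records (default version 2 format).
Added example, not from the whitepaper or any vendor. The CIDR ranges, account id,
interface id and log lines below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of a default VPC Flow Log version 2 record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
ONPREM = ip_network("10.10.0.0/16")   # assumed on-prem cluster range
CLOUD = ip_network("172.31.0.0/16")   # assumed EC2 subnet range
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM

# Constructed records: SSH from on-prem into EC2 (both directions), a port sweep rejected
# by the security group, periodic HTTPS from the EC2 host to one external address, NODATA.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.5.20 172.31.8.15 51200 22 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.8.15 10.10.5.20 22 51200 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.8.15 40000 21 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.8.15 40001 23 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.8.15 40002 25 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.8.15 40003 110 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.8.15 40004 445 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 172.31.8.15 203.0.113.5 44321 443 6 3 900 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.8.15 203.0.113.5 44322 443 6 3 900 1700000600 1700000660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.8.15 203.0.113.5 44323 443 6 3 900 1700000900 1700000960 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.8.15 203.0.113.5 44324 443 6 3 900 1700001200 1700001260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Parse version 2 records; drop NODATA/SKIPDATA rows, whose fields are '-'."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def cross_env_admin_access(records):
    """Accepted flows that cross the on-prem/EC2 boundary onto an admin port."""
    hits = []
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        crosses = (src in ONPREM and dst in CLOUD) or (src in CLOUD and dst in ONPREM)
        if crosses and r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits

def rejected_port_sweeps(records, min_ports=5):
    """(src, dst) pairs whose REJECTed flows touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def periodic_external_flows(records, min_flows=4, jitter=2):
    """EC2 hosts reaching an address outside both ranges at a near-constant interval
    (one C2 beaconing pattern). Returns {(src, dst, dstport): interval_seconds}."""
    starts = defaultdict(list)
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if src in CLOUD and dst not in CLOUD and dst not in ONPREM and r["action"] == "ACCEPT":
            starts[(r["srcaddr"], r["dstaddr"], r["dstport"])].append(r["start"])
    found = {}
    for key, times in starts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_flows and max(gaps) - min(gaps) <= jitter:
            found[key] = round(sum(gaps) / len(gaps))
    return found

def analyze(text=SAMPLE_LOG):
    recs = parse_flow_log(text)
    return {"admin_access": cross_env_admin_access(recs),
            "port_sweeps": rejected_port_sweeps(recs),
            "beacons": periodic_external_flows(recs)}
```

Running `analyze()` on the constructed log returns the SSH session from on-prem into the EC2 host, the five-port sweep from 198.51.100.7, and the 300-second beacon to 203.0.113.5; the same functions work unchanged on records pulled from the flow log's S3 or CloudWatch Logs destination.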


Next Steps 


Far too many organizations have security postures that were created around legacy, on-
prem environments and limited software uses. This model works fine if the organizational
infrastructure stays the same. However, as the past few years—and notably, the past 24
months—have shown, more and more organizations are moving business operations to the
cloud. And the reality is that security teams need to be ahead of the game to protect their
security impact area.


In this whitepaper, we examined the key consideration of detection and response 
capabilities in AWS environments. While an on-prem approach may not transfer 
straightforwardly to AWS environments, the concept of monitoring and incident response at 
the endpoint and network level certainly does. This enables security teams to stick to their 
roots of a combined detection and response approach, instead of redefining what an asset 
is, where it’s located, and what a response process may look like. 


Finally, for any organization deploying to AWS and increasing their footprint, ensure that 
the security team is in-tune with these changes. This allows them to adjust as necessary, 
whether it’s updating an incident response plan, accounting for assets, or accommodating 
an entire business unit moving operations to AWS. When making strategic investments like 
these, the security team should aim to be one step ahead of bad actors. 


SANS would like to thank this paper’s sponsor: 
Enhance security in your AWS Cloud


Secure Your Cloud Environment with Endpoint and Network Detection 
and Response (EDR/NDR) Technologies 

To achieve a balanced and manageable security architecture for AWS, organizations will likely make use of a
range of different controls as well as security and operational program elements, some of which are built into
AWS and others that are procured from AWS Marketplace partners, offering best-in-class security and cloud
services. These security solutions can be integrated with AWS Services and other existing technologies,
enabling you to deploy a comprehensive security architecture across your AWS and on-premises environments.


How customers are leveraging CrowdStrike as part of their AWS Cloud 
security architecture 


The CrowdStrike Falcon platform defends enterprises without compromising speed and performance with a 
cloud-based architecture to secure workloads and workforces anywhere anytime—blocking attacks while 
capturing and recording endpoint activity. Key features of the Falcon platform include: 


• Capturing more than 1 trillion events each day, tracking more than 150 adversaries, and making more
than 140 million IOA decisions per second.

• Modular and extensible design that ensures that customers can solve new security challenges with a
single click—without the need to re-architect or re-engineer the solution.

• Minimal impact on endpoint performance and end-user productivity.

• Accelerated threat investigation and response with smart-filtering technology to capture and record
relevant host activity.

• Easy deployment with cloud-based architecture for speed and instant operationalization—no reboots
required after installation.

• Optimal performance by automating and managing all platform functionality with APIs.

• Seamless integration with existing workflows and CI/CD pipelines.

AWS Marketplace is a digital software catalog that makes it easy to find, try, buy,
deploy, and manage software that runs on AWS. AWS Marketplace has a broad 
and deep selection of security solutions offered by hundreds of independent 
software vendors, spanning infrastructure security, logging and monitoring, 
identity and access control, data protection, and more. 


Customers can launch pre-configured solutions in just a few clicks in both 
Amazon Machine Image (AMI) formats and SaaS subscriptions, with entitlement 
options such as hourly, monthly, annual, and multi-year contracts. 


AWS Marketplace is supported by a global team of solutions architects, product 
specialists, and other experts to help IT teams connect with the tools and 
resources needed to streamline migration journeys to AWS. 


How to get started with EDR/NDR security solutions 
in AWS Marketplace 


Security teams use AWS native services and seller solutions in AWS Marketplace 
to help build automated, innovative, and secure solutions to address relevant 
use cases and further harden their cloud security footprint. The following 
solutions can help you get started: 




• Watch the Webinar: Securing Your Cloud Environment with Endpoint and Network Detection and Response (EDR/NDR) Technologies (view on-demand).

• Discover Solutions: Find the tools you need to implement a Zero Trust Model for Data Analytics Applications in AWS (visit AWS Marketplace).

• Talk to an Expert: Get connected with a solution architect that can share best practices and help solve your business challenges.